is there a way in Apache, when using the mod_authnz_ldap module, to only have it ask for a login if the IP address is not within a defined, internal range? We have a site that we don't want people to have to log in from when they are in the office but when out of the office - from home or mobile etc they should have to authenticate.
Possible?
yes it is possible.
Asuming you use the LDAP authorization on a per Location basis:
<Location /your/path/here>
Order deny,allow
Deny from all
Allow from 192.168.0.
Auth...
<your complete ldap config here>
# if one of the above matches, go on
Satisfy any
</Location>
You can find the complete documentation for satisfy here
Related
Have an MediaWiki page, that provide an information about some software and products. Is not used for discussions, and only one admin can create pages. I prevent users to create own accounts, and is working fine.
As a bit of higher level of security, I will like to restrict login to admin panel from just one specific IP address.
For WordPress, I do it in Apache2 at next way:
<Directory "/opt/htdocs/www.xxxx.xxx/wp-admin">
Require all denied
Require ip a.b.c.d
Require ip e.f.g.h
</Directory>
How can I do the same, but with MediaWiki?
I want to allow the connection from my LAN and in the case, that the external ip matches my ip (for when I use my domain to connect internal to my http server via browser)
I found this:
Require forward-dns bla.example.org
but I get an 403 Forbidden :/
My .htaccess looks like this:
Order Deny,Allow
Deny from all
Allow from 192.168.254.1/24
Require forward-dns mydomain.de
Thank you :C
Here is the answer I have worked out:
I use a scipt to enter the IP address in the hosts file.
Follow the instructions from:
https://www.the-art-of-web.com/system/apache-auth-ddns/
After that it works with the following command in .htaccess
Allow from yourDomain.de
Its not the best answer, but it will work.
I want to do that:
documentRoot/.htaccess:
- allow access only if a user comes from a specific ip OR if he can authenticate
- all others should be rejected
documentRoot/somedir/:
- same rules as in documentRoot
documentRoot/otherdir/.htaccess:
- 202.111.22.3 should be rejected
- for the rest: allow access only if a user comes from a specific ip OR if he can authenticate
documentRoot/otherdir/csvexport/.htaccess:
- allow access to every one
My problem is the inheritance from parent htaccess files, i can not get it right, but i hope someone of you is able to solve my issue.
How to do that?
So you'll have something like this:
documentRoot/.htaccess
Allow From 12.34.56.78
Require valid-user
Satisfy any
documentRoot/otherdir/.htaccess:
Deny From 202.111.22.3
Allow From 12.34.56.78
Require valid-user
Satisfy any
documentRoot/otherdir/csvexport/.htaccess:
Allow From All
12.34.56.78 being the "specific ip" that you want to allow.
someone trying to access pages like
//mysqladmin//scripts/setup.php
Is it some hack attempt or .. ?
If yes then how i can block its ip from accessing mine website ?
Via htaccess or something else ?
As an update to this old question for those who still land here:
Order Allow Deny are deprecated as of Apache 2.4 and Require should be used.
<RequireAll>
Require all granted
Require not ip 1.2.3.4
</RequireAll>
Ranges, netmasks, etc. can also be specified.
https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html (Deprecated)
https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require
To block special IP addresses you can put the following in a .htaccess file located in your directory, you like to restrict:
order allow,deny
deny from 1.2.3.4
allow from all
Where 1.2.3.4 is the IP you like to block.
But note that IP adresses change users and also attackers change IP adresses.
So this will not secure your application and potentially block leagal visitors.
The better solution will be to make sure your script does not accept malicious paths.
Append a base path to the path you get from the user
Make sure the path you get from the user does not contain '../'
can anybody recommend some really good resources for how to get Apache authenticating users with Kerberos.
Background reading on Kerberos would also be useful
Thanks
Peter
mod_auth_kerb is a good start: http://modauthkerb.sourceforge.net/. If you need Active Directory support, look here: http://support.microsoft.com/?id=555092.
I found mod_auth_spnego also quite okay, as it can use SSPI on windows instead of requiring MIT Kerberos. mod_spnego
Here's an example using Active Directory as the KDC:
http://oslabs.mikro-net.com/krb_apache.html
I liked this article about configuring apache to use Kerberos:
http://www.roguelynn.com/words/apache-kerberos-for-django/
(you may skip parts about django if you are not interested)
EDIT:
Fullblown answer
It is pretty easy to configure apache to use Kerberos authentication.
I am assuming you have correctly configured Kerberos on your machine.
1) Your webserver has to have keytab [1].
Bottom line, your webserver has to be able to read the keytab!
2) You have to have proper httpd module for authentication -- mod_auth_kerb:
LoadModule auth_kerb_module modules/mod_auth_kerb.so
3) Then you have to tell apache about Kerberos:
<Location />
AuthName "Kerberos Authentication -- this will be showed to users via BasicAuth"
AuthType Kerberos
KrbMethodNegotiate On
KrbMethodK5Passwd Off
# this is the principal from your keytab (you may lose the FQDN part)
KrbServiceName HTTP/$FQDN
KrbAuthRealms KERBEROS_DOMAIN
Krb5KeyTab /path/to/http.keytab
Require valid-user
Order Deny,Allow
Deny from all
</Location>
Then apache will pass the user to your app via REMOTE_USER HTTP header.
And that's it.
I also advice you to turn on debugging logging in apache during setup. Be sure that you have correct time and httpd can read keytab, that's all.
[1] http://kb.iu.edu/data/aumh.html
[2] Main resource: http://www.roguelynn.com/words/apache-kerberos-for-django/